Cryptographic data processing using cascade of cryptographic elements in feedback structure.



The invention provides a device (1) for encrypting or decrypting data packets, comprising storage means (14) for temporarily storing data packets, identification means (15) for identifying data packets, processing means (11, 12, 13) for cryptographically processing data packets, and memory means (16) for storing cryptographic information. The processing means (11, 12, 13) comprise, according to the invention, a first (11) and a second (12) cryptographic element, the first cryptographic element (11) being designed for generating, on the basis of a first starting value, processing data for cryptographically processing a data packet, and the second cryptographic element (12) being designed for generating, on the basis of a second starting value, the first starting value. In addition, the processing means (11, 12, 13) according to the invention are designed for forming, on the basis of a cryptographically processed data packet, the second starting value, thereby ensuring the synchronization between corresponding encrypting and decrypting devices.



[Fig. 1: block diagram of the first embodiment; visible labels F1, R1, 13, 16, 17, F2, R2, 12 and control signal SO]



EP 0 673 133 A1



BACKGROUND OF THE INVENTION 

The invention relates to a device for processing data packets, comprising buffer means for temporarily storing data packets, identification means for identifying data packets, processing means for cryptographically processing data packets and memory means for storing cryptographic information. Such a device is disclosed in the US Patent Specification US-5,048,087 (Trbovich et al.).

In the known device, a key and a cryptographic value are stored in a memory for each channel (or virtual connection). Said cryptographic value is the final value (cryptographic residue) of the cryptographic process used after carrying out a cryptographic processing on a data packet. In this method, said final value, that is to say the state (state vector) after the processing steps carried out, is stored in the memory as starting value (initialization vector) for a subsequent data packet of said channel. This repeated use of the final value as new starting value has the disadvantage that the cryptographic security is relatively small, because a large number of successive states of the cryptographic process concerned is traversed for a particular channel, so that a cyclic repetition of the states may occur. Furthermore, the device according to the prior art has the disadvantage that, if one or more data packets are lost, the synchronization between encrypting and decrypting device will be lost as well. Thus, the loss of, for example, one data packet on the data connection will always result in the state of the preceding packet being used in the decrypting device for the initialization of the cryptographic function (cryptographic process), as a result of which the "decrypted" data packets will be unrecognizably garbled in most cases.

SUMMARY OF THE INVENTION 

The object of the invention is to eliminate the abovementioned disadvantages and other disadvantages of the prior art and to provide a device which offers both a very high cryptographic security and, independently of the cryptographic process used, ensures synchronization of encrypting and decrypting devices, even in the event of the loss of a plurality of data packets.

In addition, the object of the invention is to provide a device for cryptographically processing data packets which is suitable for high data rates, such as the data rate handled in ATM (asynchronous transfer mode) of approximately 155 Mbit/s.

For this purpose, the device according to the invention is characterized in that the processing means comprise a first and a second cryptographic element, the first cryptographic element being designed for generating, on the basis of a first starting value, processing data for the cryptographic processing of a data packet, and the second cryptographic element being designed for generating, on the basis of a second starting value, the first starting value, and that the processing means are designed for forming the second starting value on the basis of a cryptographically processed data packet.

Because the processing means comprise a first and a second cryptographic element, the second cryptographic element providing the starting value of the first element, a very high cryptographic strength can be achieved, since the starting values of the first cryptographic element are virtually independent of the preceding final values. In addition, it is possible in this way to design the two elements in a cryptographically simpler way than a comparable single element, as a result of which, firstly, higher processing rates and, secondly, smaller states (state vectors, such as starting and final values) are possible. The smaller starting and final values can, in turn, be retrieved or stored more quickly, and this results in a further increase in rate.

The two cryptographic elements may carry out different cryptographic processes, possibly with different complexities. With a constant cryptographic strength of the device, the complexities of the elements are essentially complementary. According to a preferred embodiment of the invention, however, the cryptographic elements are identical, that is to say they carry out identical cryptographic processes.

Advantageously, the processing means are designed for interchanging the functions of the first cryptographic element and the second cryptographic element. As a result, it is not necessary to transfer starting or final values of one cryptographic element to the other, which makes the processing of very rapidly succeeding data packets possible.

In a preferred embodiment, at least one cryptographic element is provided with plural registers. With the aid of two or more registers per cryptographic element, it is possible to carry out a cryptographic processing, such as the generation of a new final value, on the content of a first register, while at least one other register remains available for temporarily storing a value generated earlier or to be used later, and therefore functions as a buffer. In this case, the registers are advantageously designed for copying the content of a register to another register. In the case of parallel copying, in particular, a rapid transfer of the values to the various registers is therefore possible, as a result of which the processing means are able to shift rapidly to the generation of new values.

The device according to the invention is preferably accommodated in an application-specific integrated circuit (ASIC).

The invention furthermore provides a method of generating cryptographic processing data, comprising carrying out a first cryptographic processing on a first starting value, a final value of the first cryptographic processing being used as processing data, characterized by the carrying out of a second cryptographic processing on a second starting value, a final value of the second cryptographic processing being used as first starting value for the first cryptographic processing, and the second starting value being formed on the basis of a key and data which have been combined with processing data.

The above references are herewith incorporated in this text.

EXEMPLARY EMBODIMENTS 

The invention will be explained in greater detail below by reference to the figures.

Fig. 1 shows diagrammatically a first embodiment of the device according to the invention.

Fig. 2 shows diagrammatically a second embodiment of the device according to the invention.

Fig. 3 shows diagrammatically a third embodiment of the device according to the invention.

Fig. 4 shows diagrammatically a fourth embodiment of the device according to the invention.

Fig. 5 shows diagrammatically a system for the encrypted transfer of data packets, in which the invention is used.

In the encrypting device 1 according to the invention shown diagrammatically and by way of example in Fig. 1, the processing means comprise a first cryptographic element 11, a second cryptographic element 12 and a combination element 13. The buffer means are formed by an input buffer 14. Said input buffer 14 is coupled to an identification unit 15, which forms the identification means. The memory means comprise a memory 16 which is connected to the first cryptographic element 11 and the second cryptographic element 12 by means of a data bus 17. In the embodiment shown, the device is controlled by the identification unit 15, which emits suitable control signals (for example SO) for this purpose. Possibly, however, a separate control unit may be provided. Furthermore, if necessary, an output buffer connected to the combination element 13 may be provided (not shown).
A data packet which arrives in the device 1 is temporarily stored in the input buffer 14 until the identification unit 15 has identified the data packet and the processing means are ready to process the data packet. The identification of a data packet comprises determining the (logical) channel of the data packet, "channel" also being understood here to mean a virtual path or connection of a different type, possibly virtual. In the case of ATM, for example, the identification unit 15 determines the virtual channel or the virtual connection on the basis of the "virtual channel identifier" (VCI) or the "virtual path identifier" (VPI), that is to say on the basis of information present in the header of the data packet. For this purpose, the header of the data packet may be copied from the input buffer 14 to the identification unit 15. In addition to determining the channel, further information may, if necessary, be derived both from the header and from the data field of the data packet.
If the data packet is identified, processing information is read out of the memory 16, for example information which specifies whether data packets of the channel concerned have to be encrypted, decrypted or not processed at all. If a processing of the data packet is necessary, a corresponding key may be read out of the memory 16 on the basis of the (channel) identification. A separate memory (not shown) may also be provided for the purpose of storing keys.
The processing, in the present case encrypting, of a data packet takes place as follows. A starting value (starting vector) associated with the channel concerned is loaded into the cryptographic element 11 from the memory 16. For this purpose, the element 11 can be conceived as divided up functionally into a register R1 and a cryptographic function F1, it being possible for the register R1 to comprise memory elements, such as flip-flops. The function F1, which is embodied, for example, by a microprocessor and a memory, calculates, in a number of steps, a new cryptographic value (final value) from the starting value. Preferably, like the final value, the starting value has a length of 256 bits, and the function carries out 48 steps (corresponding to the 48 data bytes of an ATM packet), which successively yields 48 states having associated state vectors (intermediate values). One byte (octet) is successively extracted from each state of 256 bits, which byte forms the "running key" of a corresponding data byte of the data packet. In the combination element 13, the bytes of the running key ("processing bytes") are combined with the data bytes of the data packet. Preferably, this takes place by addition modulo 2 of the corresponding bits, but other operations, such as multiplication, are also possible in principle.

The cryptographic element 11 is preferably designed so that the header of a data packet is not changed. In the case of the bytes of the header, for example, this can readily be achieved by modulo 2 addition of processing bytes which comprise only zeros. For this purpose, the identification unit 15 (or, if present, a separate control unit) activates the cryptographic element 11 or the combination element 13 by supplying suitable control signals (for example, SO).

The values of the first eight processed (encrypted) bytes emitted by the combination element 13 are copied to the cryptographic element 12 and stored in a register R2 present for this purpose. In this connection, the register R2 may be constructed from memory elements, such as flip-flops, possibly interlaced with the function F2. In the element 12, said 64 bits are placed one after the other in a total of four copies, which results in a number having a length of 256 bits. To said number, the key of the channel concerned, which also has a length of 256 bits, is added modulo 2. The resulting number functions as starting value (starting vector) for the cryptographic function F2. The final value (final vector), which is stored in the memory 16 and will be used for the function F1 as starting value for the subsequent data packet of the channel concerned, is then calculated in, preferably, 40 steps.

As a result of using only a limited number of bytes, such as the abovementioned first eight bytes, of each processed data packet instead of, for example, all 48 data bytes of an ATM data packet for forming a starting value, the formation of a new starting value can be started even during the processing of the data packet. It will be clear that the processing rate of the device can be higher as a result of this.

In the device according to the invention, therefore, data of a processed data packet, preferably combined with a key, is used to provide the starting value of a cryptographic process. The final value of said process is used as starting value of another process which generates the running key for the encryption or decryption. In the embodiment shown, a data packet is always encrypted on the basis of a starting value which is determined on the basis of the preceding data packet of that channel. This achieves the result that a minimum number of data packets is incorrectly decrypted in the event of the loss of a data packet at the receiving end. The device according to the invention may also, however, be constructed so that the encrypting of a data packet is determined not as a function of the last data packet of that channel, but as a function of, for example, the penultimate data packet, so that one data packet is passed over. A plurality of data packets may possibly be passed over. In principle, the starting value of the encrypting process can also be based on an earlier data packet of another channel, for example the last data packet encrypted by the device. However, this results in a certain degree of mutual dependence of the channels, which is generally cryptographically undesirable.
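
The cascade described above, from the 48-step running-key generator F1 through the eight-byte feedback into F2 and on to the behaviour after a lost cell, as an added software model that is not part of the patent and is not the applicant's code. The patent leaves F1 and F2 open (it names DES and RSA as candidates); this model substitutes a SHA-256 round as the state transition, which is an assumption made only so the example runs. It also assumes that the eight feedback bytes are taken from the encrypted data field rather than from the unchanged header, and it generalizes the "passing over" variant with a lag parameter (lag 1 feeds back the last cell, lag 2 the penultimate one). The channel key, initial starting values and cell contents are constructed.

```python
"""Software model of the two-element cascade (Fig. 1 encrypting, Fig. 2 decrypting)."""
import hashlib
from collections import deque

HEADER_LEN = 5       # ATM cell header, passed through unchanged (running key of zeros)
PAYLOAD_LEN = 48     # one running-key byte per data byte
STATE_LEN = 32       # 256-bit starting/final values, as in the patent's example
FEEDBACK_LEN = 8     # first eight processed data bytes feed the second element
F1_STEPS, F2_STEPS = 48, 40


def step(state, tag):
    # ASSUMPTION: a SHA-256 round stands in for the patent's unspecified state
    # transition. Any map from a 256-bit state to the next state fits the structure.
    return hashlib.sha256(state + tag).digest()


def element_f1(start):
    """First element: traverse 48 states; extract one running-key byte per state."""
    state, running_key = start, bytearray()
    for _ in range(F1_STEPS):
        state = step(state, b"F1")
        running_key.append(state[0])
    return bytes(running_key)


def element_f2(start):
    """Second element: 40 steps; the final value becomes F1's next starting value."""
    state = start
    for _ in range(F2_STEPS):
        state = step(state, b"F2")
    return state


def second_starting_value(processed_cell, key):
    """Four copies of the first eight encrypted data bytes, XORed with the channel key."""
    # ASSUMPTION: bytes taken from the data field; the patent does not say whether
    # the (unchanged) header counts among the "first eight processed bytes".
    fb = processed_cell[HEADER_LEN:HEADER_LEN + FEEDBACK_LEN]
    return bytes(a ^ b for a, b in zip(fb * 4, key))


class ChannelCipher:
    """Per-channel state of one end. Both ends start from the same key and the same
    initial starting value(s); the number of initial values is the lag."""

    def __init__(self, key, initial_starts):
        if len(key) != STATE_LEN or not initial_starts:
            raise ValueError("256-bit key and at least one starting value required")
        self.key = key
        self.pending = deque(initial_starts)   # starting values for the next cells

    def _process(self, cell, encrypting):
        header, data = cell[:HEADER_LEN], cell[HEADER_LEN:]
        if len(data) != PAYLOAD_LEN:
            raise ValueError("expected a 53-byte cell")
        running_key = element_f1(self.pending.popleft())
        out = header + bytes(d ^ k for d, k in zip(data, running_key))
        # Element 12 is always fed with ciphertext: the combiner output when
        # encrypting (Fig. 1), the input buffer when decrypting (Fig. 2). This is
        # what lets the receiver fall back into step after a cell never arrives.
        ciphertext = out if encrypting else cell
        self.pending.append(element_f2(second_starting_value(ciphertext, self.key)))
        return out

    def encrypt(self, cell):
        return self._process(cell, True)

    def decrypt(self, cell):
        return self._process(cell, False)


def make_cells(count):
    """Constructed sample traffic: distinct 53-byte cells with one fixed VPI/VCI header."""
    cells = []
    for i in range(count):
        header = bytes([0x00, 0x10, 0x00, 0x30, 0x00])
        payload = bytes((i * 7 + j) & 0xFF for j in range(PAYLOAD_LEN))
        cells.append(header + payload)
    return cells


def fresh_pair(lag):
    """Encryptor and decryptor sharing a constructed key and `lag` initial values."""
    key = hashlib.sha256(b"constructed channel key").digest()
    ivs = [hashlib.sha256(b"constructed iv %d" % i).digest() for i in range(lag)]
    return ChannelCipher(key, ivs), ChannelCipher(key, ivs)


def roundtrip_ok(lag=1, count=6):
    """No loss: headers pass through unchanged and every cell decrypts correctly."""
    enc, dec = fresh_pair(lag)
    plain = make_cells(count)
    wire = [enc.encrypt(c) for c in plain]
    headers_kept = all(w[:HEADER_LEN] == p[:HEADER_LEN] and w != p for w, p in zip(wire, plain))
    return headers_kept and [dec.decrypt(w) for w in wire] == plain


def garbled_after_loss(lag, lost, count=6):
    """Drop cell `lost` on the wire and count the cells the receiver gets wrong."""
    enc, dec = fresh_pair(lag)
    plain = make_cells(count)
    wire = [enc.encrypt(c) for c in plain]
    return sum(dec.decrypt(w) != plain[i] for i, w in enumerate(wire) if i != lost)
```

With lag 1, garbled_after_loss(1, 2) returns 1: the receiver decrypts the cell following the lost one with a stale starting value, but because its own next starting value is formed from the ciphertext it actually received, the cell after that is already in step again. With lag 2 the same loss costs two cells, which is the trade-off the text describes for passing over a packet. The prior-art scheme, in which the final value of one cell is the starting value of the next without any dependence on the transmitted data, would never resynchronize after the loss.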

In the processing means shown, a combination element 13 is present for combining, for example, a bit stream to be encrypted with an encrypting bit stream. Such a combination element may be formed, for example, by an exclusive-OR gate. It is also possible, however, to construct the processing means in such a way that the cryptographic process of the cryptographic element 11 acts directly on the data of a data packet and does not therefore produce a separate running key. In that case, the separate combination element 13 can be omitted.

The actual cryptographic process used in the cryptographic elements 11 and 12 is, in principle, arbitrary, as long as it produces a cryptographical value based on a starting value. Suitable processes are e.g. the well-known DES algorithm (reference 7) and the RSA algorithm. See also reference 1.

The device 1 of Fig. 1 may be constructed from discrete, commercially available components, but is preferably accommodated, at least partly, in an application-specific integrated circuit (ASIC). The device 1 is suitable not only for rapidly encrypting ATM data packets, but also for processing data packets which are transferred in accordance with other protocols, such as X.25. It will be clear that the given numerical values, such as the number of bits in a key, the number of steps of a cryptographic process and the number of bytes to be encrypted, may vary as a function of the specific application or implementation and are given here only by way of example. Although the invention is described here by reference to the processing of data packets, the inventive idea can be used just as well in the processing of data streams not consisting of data packets.

The device 1' according to the invention shown diagrammatically in Fig. 2 largely corresponds to the device 1 of Fig. 1, but is adapted for the decrypting of data packets. The device 1' also comprises a first cryptographic element 11, a second cryptographic element 12, a combination element 13, an input buffer 14, an identification unit 15, a memory 16, and a data bus 17. In contrast to Fig. 1, the positions of the elements 11 and 12 are interchanged in Fig. 2, that is to say the element 12 is connected to the input buffer 14 and the combination element 13, so that the contents of encrypted data packets are supplied to the element 12. It will be clear that the input buffer 14 of the device 1' receives encrypted data packets and that said data packets are decrypted in the combination element 13, if that is desirable for the channel concerned. The decryption takes place in this case by combining the data of a data packet with a running key. In the case where the data have been encrypted by the addition modulo 2 of a running key, the decryption takes place by the addition modulo 2 of an identical running key.

Fig. 3 shows a device according to the invention which is suitable for both encryption and decryption. The device 1" of Fig. 3 largely corresponds to the devices 1 and 1', respectively, of Fig. 1 and 2. As a departure from Fig. 1 and 2, however, selection means 18 are provided between the cryptographic element 12, on the one hand, and the outputs of the combination element 13 and the input buffer 14, on the other. The supplying of a selection signal S1 to the selection means 18, which may be constructed, for example, of AND gates, connects either the output of the buffer 14 (decryption) or the output of the combination element 13 (encryption) to the cryptographic element 12. The selection signal S1 can be generated either by the identification unit 15 (or a control unit coupled thereto), for example in response to the identification of a channel, or by external means, such as a selection switch (not shown).

In the case of the devices of Fig. 1, 2 and 3, a final value has to be written for each data packet into the memory 16, while a starting value has to be retrieved from the memory. In the given example, the length of these values is 256 bits. In the case of very high data rates, such as required in the case of ATM, the timely transfer of the respective starting and final values in the abovementioned embodiments can take place only if very wide data paths (for example, data bus 17) are used, which makes the device relatively expensive. In principle, it is possible to reduce the length of the said values, but this also reduces the cryptographic security. According to a further aspect of the present invention, therefore, different embodiments are provided which make it possible to transfer, even at very high data rates, starting and final values comprising a large number of bits and therefore offering a high cryptographic security.

Firstly, the data bus 17 can be split into two separate data buses 171 and 172 (not shown), the first data bus 171 being connected to the memory 16 and the first cryptographic element 11, while the second data bus 172 is connected to the memory 16 and the second cryptographic element 12. As a result, it is possible to exchange information simultaneously between the memory 16 and the element 11, on the one hand, and the memory 16 and the element 12, on the other. For this purpose, the memory 16 is advantageously constructed so that writing into a first section can take place while reading out from a second section takes place simultaneously. In particular, the memory 16 may be designed for copying information from the second to the first section, so that final values written earlier into the second section can simultaneously be read out from the first section and new final values can be written into the second section.

Secondly, the registers R1 and R2 of the elements 11 and 12 can be constructed in duplicate, so that not only a value on which an operation is being carried out at that instant can be stored in each register, but also a subsequent value. This will be explained in greater detail below by reference to Fig. 4.

Thirdly, the device can be constructed so that the registers R1 and R2 are able to exchange their respective content simply and quickly, for example as a result of the presence of a sufficiently wide data path (data bus) between the registers. This is advantageous, in particular, if two successive data packets to be processed belong to the same channel. For the purpose of this exchange, the elements 11 and 12 can advantageously be constructed in integrated form so that the registers R1 and R2 are arranged in parallel and at a short distance from one another.

Fourthly, the device can be constructed so that the functions of the cryptographic elements 11 and 12 can interchange. This will be explained in greater detail by reference to Fig. 4. This, too, is advantageous, in particular, if two successive data packets to be processed belong to the same channel. In this case, the content of the register R2 no longer has to be transferred to the register R1, since R2 takes over the function of R1 as a result of the exchange. In such an embodiment, the cryptographic functions F1 and F2 will generally be identical.

Fifthly, the processing means may be designed for forming the starting value on the basis of a data packet other than the last data packet (of the channel concerned), as already stated above. By "passing over" a data packet in the sense of not using said data packet for forming a starting value, time is gained for writing and reading out information (such as starting and final values). The disadvantage of this is that more data packets will be incorrectly decrypted in the event of a loss, that is to say non-arrival or deformed arrival, of a data packet at the receiving end.

Furthermore, according to the non-prepublished Dutch Patent Application NL-A-93,01841, the device may be provided with a plurality of parallel processing means. As a result, a very high processing rate can be achieved, since a plurality of data packets can be processed simultaneously (or virtually simultaneously). Dutch Patent Application NL-A-93,01841 is hereby incorporated by reference in this text.

The encrypting device 1"' according to the invention shown in Fig. 4 is constructed so that a very high processing rate can be achieved even with relatively long starting and final values, however without constructing a plurality of the processing means. The device 1"' of Fig. 4 largely corresponds to the device 1 of Fig. 1, but the processing means are additionally provided with selection means 19, which comprise a first selection element 191 and a second selection element 192. In addition, the registers R1 and R2 in Fig. 4 are constructed in duplicate, as will be explained in greater detail later.

The selection means 19 offer the possibility of interchanging the functions of the cryptographic elements 11 and 12. For this purpose a first input of the selection element 191 is connected to the register R1 and a second input to the register R2, while the output is connected to the combination element 13. A selection signal S2, which connects either the register R1 or the register R2 to the combination element 13, can be supplied to a control input of the selection element 191. In a comparable way, the input of the selection element 192 is connected to the output of the combination element 13 and the outputs of the selection element 192 are connected to the register R1 and the register R2, respectively. The output of the combination element 13 can be connected either to the register R1 or to the register R2 by supplying a selection signal S2 to a control input. Depending on the selection signal S2, the operation of the device of Fig. 4 will therefore, in a first mode, correspond completely with that of Fig. 1. In a second mode, the cryptographic elements are functionally interchanged with respect to Fig. 1, so that the function F1 determines the starting value of the function F2 and the final value of the function F2 is supplied to the data to be processed. The selection signal S2 may be generated in the identification unit 15 or in a separate control unit (not shown). Preferably, the selection signal S2, or a signal related thereto, is also supplied to the cryptographic elements 11 and 12 and to the memory 16 in order to ensure that the correct information (such as starting and final values and keys) is transferred to the correct element.

The functional interchange of the cryptographic elements makes it possible, in the case of data packets of the same channel which are to be processed successively, to supply very rapidly the final value of one function (for example F1) as starting value to the other function (for example F2). No transfer of said value from one register (for example R1) to the other register (for example R2) therefore needs to take place. As a result, very large values, that is to say having a large bit length and therefore having a high cryptographic security, can be used.

If two successive data packets belong to different channels, in most applications the final value of one function (for example F2) cannot directly be used as starting value by the other function (for example F1), so that said final value has to be stored. In order to avoid delay as a consequence of congestion on the data bus 17 or limited access times of the memory 16, the device of Fig. 4 is provided with double registers, which offer the possibility of temporarily storing a second value. For this purpose, the register R1 comprises a section R1a and a section R1b, both sections preferably being capable of containing an entire starting or final value (in the above example, 256 bits). The register R2 likewise comprises a section R2a and a section R2b. If, for example, the device is now operating in the first mode (according to Fig. 1) and two successive data packets belong to different channels, a final value which has to be stored in the memory 16 will be present in the register R2, for example in the section R2a, after the encrypting of the first packet. At very high data rates, the time between two data packets may be insufficient to transfer the, for example, 256 bits of said value to the memory 16. For this reason, in the embodiment of Fig. 4, the content of one register section (for example R2a) can be copied to the other register section (for example R2b). This releases one register section (R2a) for receiving and processing fresh data, while the final value determined can be transferred from the other section (R2b) to the memory 16. As a result, the transfer via the data bus 17 and the determination of a fresh value can take place simultaneously. As an alternative to copying from one register section to the other register section, the operation elements can be constructed so that the register sections are alternatingly connected to the corresponding function (F1 or F2) or to the data bus 17 and the inputs and outputs of the respective cryptographic elements. For this purpose, like the selection means 19 shown in Fig. 4, internal selection means may be provided for the processing means.

It will be clear that the additional measures shown in Fig. 4 can also be used separately, for example by constructing the registers R1 and R2 in duplicate without carrying out a functional interchange of the elements 11 and 12. Characteristics of the device of Fig. 4 may also be combined with, for example, the device 1" of Fig. 3.

The communication system 9 shown in Fig. 5 comprises a network 91, to which a plurality of security units 92 are connected. An end user 93 is connected to each security unit 92. The network 91 is, for example, an ATM network and the end users 93 are, for example, digital telephone sets, data terminals and/or payment terminals. Each security unit 92 comprises at least one encrypting device 1 and one decrypting device 1' according to the invention, or a combined device 1" as shown in Fig. 3, a device 1"' as shown in Fig. 4, or another embodiment of the device according to the present invention. The system 9 constructed in accordance with the invention makes possible a rapid, secure transfer of data packets.

It will be understood by those skilled in the art that the invention is not limited to the exemplary embodiments shown and that many modifications and additions are possible without departing from the spirit and scope of the present invention.

Claims 

1. Device (1; 1'; 1"; 1"') for cryptographically processing data packets, comprising:

- buffer means (14) for temporarily storing data packets,

- identification means (15) for identifying data packets,

- processing means (11, 12, 13) for cryptographically processing data packets and

- memory means (16) for storing cryptographic information,

characterized in that

- the processing means comprise a first (11) and a second (12) cryptographic element, the first cryptographic element (11) being designed for generating, on the basis of a first starting value, processing data for the cryptographic processing of a data packet, and the second cryptographic element (12) being designed for generating, on the basis of a second starting value, the first starting value, and in that

- the processing means are designed for forming the second starting value on the basis of a cryptographically processed data packet.



2. Device according to claim 1, wherein the processing means are designed for encrypting data packets.

3. Device according to claim 1, wherein the processing means are designed for decrypting data packets.

4. Device according to claims 2 and 3, wherein the processing means are designed for optionally encrypting or decrypting data packets.

5. Device according to any of the preceding claims, designed for processing data packets from different logical channels and for storing in the memory means (16), for each channel, a key and/or a first starting value.

6. Device according to any of the preceding claims, wherein the processing means comprise a combination element (13) for combining processing data with data of data packets to be processed, the combination element (13) preferably comprising a modulo-2 adder.

7. Device according to any of the preceding claims, wherein the first cryptographic element (11) and the second cryptographic element (12) are designed for carrying out identical cryptographic functions.

8. Device according to claim 7, wherein the processing means are designed for interchanging the functions of the first cryptographic element (11) and the second cryptographic element (12).

9. Device according to any of the preceding claims, wherein the processing means are designed for forming the second starting value on the basis of a key and the first eight bytes of a processed data packet.



10. Device according to any of the preceding claims, wherein the processing means are designed for directly exchanging values between the cryptographic elements (11, 12).

11. Device according to any of the preceding claims, wherein at least one cryptographic element (e.g. 11) is provided with plural registers (e.g. R1a, R1b).

12. Device according to claim 11, wherein the registers are designed for copying the content of one register (e.g. R1a) to another register (e.g. R1b).

13. Device according to any of the preceding claims, provided with at least two parallel processing means.

14. Device according to any of the preceding claims, suitable for processing ATM cells.

15. Device according to any of the preceding claims, accommodated in an integrated circuit.


16. Method of generating cryptographic processing data, comprising carrying out a first cryptographic processing on a first starting value, a final value of the first cryptographic processing being used as processing data, characterized by the carrying out of a second cryptographic processing on a second starting value, a final value of the second cryptographic processing being used as first starting value for the first cryptographic processing, and the second starting value being formed on the basis of a key and data which have been combined with processing data.

17. System (9) for transferring data by means of encrypted data packets, comprising at least one device (92; e.g. 1, 1') according to any of claims 1 to 15 inclusive.

18. System (9) according to claim 17, designed for transferring data packets in accordance with the asynchronous transfer mode (ATM).